Wednesday, October 31, 2007

As a follow up to the prior blog post, recent reports from VISA USA illustrate the Faustian choice many merchants are faced with when considering what to do about the requirements for PCI -DSS compliance. Former Level 4 merchants had until September 30, 2007 to demonstrate compliance, with non-compliance carrying stiff penalties. However, the complexity of the standards and the expense of overhauling IT practices have caused many merchants to decide to accept the fines rather than to incur the expense. This is an unfortunate development for the cause of privacy professionals and others who have been advocating tighter security standards as the best preventive steps against data security breaches. The President and CEO of VISA, Philip Coghlin, recently indicated that only 20% of VISA merchants are PCI-DSS compliant. But he also indicated that the industry was advocating even tighter security standards. Such an approach ignores the potential merchant noncompliance with the security standards may have on consumer trust of e-commerce. If the standards are difficult to comply with so that compliance is lagging, consumer confidence in the electronic delivery system could erode. article

Tuesday, October 30, 2007

Computer World has an article (link) up by Dan Sarel, vice president of products at a database security company, in which Mr. Sarel provides his perspective on "Why we still invite data breaches." The article mentions various breaches (e.g., TJX, Monster.com, Fidelity Information Services), and laments that

It may be impossible to secure enterprise data completely, but as the threat landscape changes, enterprise security has been slow to catch up. For some, new standards such as the credit card industry's PCI-DSS served as a wakeup call. Yet many companies that have gone through the process of complying with new security standards still remain far from securing themselves.

While I think Mr. Sarel's point that many companies are still not secure is basically accurate, I was surprised about his characterization of companies that have gone through the process of complying with the new security standards as "far from securing themselves." Actually complying with the relevant standards can have a significant impact on an organization's security. Case in point: TJX. According to publicly available data, that company's breach was made much worse than it had to have been because TJX had basically no idea what was going on - even to the point that hackers passed encrypted messages to each other over TJX's network. That type of use of a compromised network would have been detected if TJX had been following the 10th requirement of the PCI DSS: track and monitor all access to network resources and cardholder data. Rather than leaving a company far from securing itself, compliance with the applicable regulations (e.g., GLBA, HIPAA, PCI DSS) actually leads to better security. This is something that Mr. Sarel glosses over when lumping compliant and non-compliant entities together, and, in my opinion, is something that weakened his article overall.

Friday, October 26, 2007

Two recent reports illustrate the importance of coordination of security measures among various internal functions. A recently released security intelligence report and survey by Microsoft revealed that the failure of various company functions to coordinate security efforts is a primary reason for mismanagement of data, and increases the odds of the occurrence of a data security breach. Microsoft article The survey found that the marketing function, the privacy function, and the security function all tend to think that the IT department is taking care of securing the company's data. Further, security and privacy functions depend on the marketing function to operate in a manner that protects sensitive data. The study found a direct relationship between the incidence of data security breaches and the extent of collaboration among departments. In those companies where there was good collaboration among departments, the incidence of a breach was only 29%, compared to 75% in those companies with poor collaboration. Two recently reported data security breaches by Home Depot Home Depot report and Iron Mountain Iron Mountain report also underscore the importance of various company functions working together to assure that security measures adopted are actually serving the desired purpose. Neither case involved infiltration of the companies' systems, but were the result of either lost or stolen laptop or backup disks. Both companies rushed to reassure potential victims that the data was password protected, and in the case of Home Depot, that it was encrypted. However, even though the IT departments in these cases has properly acted to institute such protections of customer and employee data, it is important to work with the legal function and other senior management to be certain that it is possible to prove that the stolen data in fact can't be tampered with. By working together, a company's collective expertise will provide the optimum protections against data security breaches.

Thursday, October 25, 2007

Apparently, the TJX breach could have been bigger than previously estimated. According to court papers filed by plaintiff banks and bankers associations seeking class certification (described in this article from Computer World, TJX's breach actually exposed 94 million records, not the 45 million records previously announced. According to the banks, the costs to card issuing companies on Visa accounts alone already total between $68 and $83 million.So what will the practical effect of all this be for TJX? More bad publicity for one, but that shouldn't be a surprise. There will also be higher legal fees, since more money at stake means that everyone involved will fight more tenaciously. Will TJX be forced to pay the bank's losses? That's a more interesting question. Individuals who try to recover from retailers who suffer from data breaches generally have little success (see, e.g., this post about a case which was thrown out in the seventh circuit). However, the bankers might have better luck. Individuals often lose because courts determine that they can't prove damages from a breach, but the bankers are in a much better position to put actual numbers on the harm they claim to have suffered. On the other hand, the current case is taking place in Boston, and Massachusetts (like every other state in the country except Minnesota) does not have a law which shifts costs of a breach from banks to retailers. This is the case even though Massachusetts was considering such a law earlier this year (see here for an article on that proposed law). My guess is that courts would be reluctant to shift costs from retailers to banks when the legislature considered and rejected such a cost shift itself. Happily, I'm not personally involved in this case, so I can just watch and see how it shakes out.

Sunday, October 21, 2007

Recently, Congress has been making some pro-consumer noises on the subject of privacy and information security. According to this article from C|NET, a bill has been introduced in the Senate which would "let victims of identity theft seek restitution for money and time they spent repairing their credit history." My thought is that the bill (assuming it passes, which isn't a sure thing) won't have much practical effect. The law already allows identity theft victims to obtain restitution (and more) from identity thieves and I don't see that federalizing remedies will make much difference. However, the fact that Congress even sees the need to grandstand on this issue is a heartening sign to privacy advocates, since generally concerns about information security and data privacy are, at best, used as stalking horses for things people really care about.

Tuesday, October 16, 2007

The proposed legislation I wrote about here and here, which would have made retailers in California liable for the cost of replacing credit cards of individuals whose data is exposed in the event of a security breach was vetoed by Governor Schwarzenegger (details in this article from Computer World). In explaining his veto, Schwarzenegger cited private sector efforts to address the risk of data breaches, such as the PCI DSS, and stated that those efforts showed that private actors were well placed to handle this issue without government involvement. Whether you buy that reasoning or not, the bottom line is that the bill is dead, at least for now (though its proponents have vowed to keep fighting). This leaves Minnesota as the only state with a data breach notification law which shifts costs of card replacement from financial instutions to retailers.

Monday, October 15, 2007

The Economic Times reports welcome news from Nasscom, the the IT industry trade organization of India. The Data Security Council of India (DSCI), which was initiated by Nasscom in recognition of the need to address the lack of security standards for the burgeoning Indian business process outsourcing (BPO) business, has formed a steering committee to look into data security standards. see news bulletin For the last several years, Nasscom has been unsuccessful at getting the Indian legislature to enact data protection legislation. Indian law affords minimal protections for the privacy of personal information. Considering that by some accounts, India controls 44% of the global outsourcing and back-office services, India's BPO clients must rely exclusively on contractual assurances that their customers and employees' data security will not be compromised. The 21 member steering committee is charged with reviewing current security status and development of a business model for DSCI. Additionally, the committee will develop draft model contract templates. Nasscom President, Kiran Karnik, said that the DSCI would work with enforcement agencies to conduct training and awareness programs. Should the committee's work produce the intended results, it will provide some welcome relief and additional assurance to the thousands of companies that have contracts in place with Indian BPOs, and perhaps the motivation to revisit their contracts to adopt the standards if they are adequate for their purposes.

Saturday, October 13, 2007

My guess is that basically everyone is aware, on at least some level, that George Clooney was involved in a motorcycle accident (if not, the CNN story is here). Normally, this is something that would hold no interest for me, and it certainly wouldn't be worth putting in a blog about information security and data privacy. In this case though, there's a twist...it seems that this "news" was broken by personnel at the hospital where Clooney was treated after the crash, with nontreating employees accessing Clooney's medical records and passing them, along with other information like Clooney's girlfriend's phone number to the press (details here). Such a leak is a clear violation of the HIPAA privacy rules (available here, which as a general rule, require consent for the disclosure of personally identifiable health information. 45 C.F.R. 164.508(a)(1) ("Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section."). Of course, it is possible to de-identify information in compliance with HIPAA. However, there is no chance that the information provided about Clooney could be considered properly de-identified.

So what are the consequences of such a blatant violation? So far, 40 employees at the facility where Clooney was treated are under investigation, and more than two dozen have been suspended without pay. A representative from their union said that the punishment is too harsh, but I'm curious what she expected. Under HIPAA, a health care provider "must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart." 45 C.F.R. 164.530(e)(1). Translation: no matter how sorry the employees are, they are still subject to their employer's sanction policy, which the employer is required by law to enforce.

The take home message of all this? Don't disclose personally identifiable health information, especially not to the media. If you do, federal law requires that you be punished.

Wednesday, October 10, 2007

As an increasing number of state legislatures adopt credit freeze laws, two of the three major credit reporting agencies have announced that they will also make credit or security freezes available to all consumers nationwide at a nominal fee. For victims of identity theft, there will be no fee.

To date, only 11 states have not enacted some form of credit freeze law. states listing.

A credit freeze is one of the best tools available to a consumer to thwart an identity thief from continuing fraudulent activities involving a consumer's personal information. A credit freeze is an order to a credit bureau to stop sharing information from a credit report without your express authorization.

Beginning October 15, 2007, TransUnion will permit a consumer in those states where no credit freeze laws have been passed to freeze their information for a $10 fee, or for no fee if the consumer is an identity theft victim. Experian has announced they will make the same service available to all consumers for the same fee, effective November 1, 2007. Equifax has announced that it will also offer credit freezes, but has not provided any details.

The state laws vary considerably with respect to fee caps, duration of freeze, and the ability to lift the freeze temporarily, or with respect to a specific creditor. While the credit bureaus' decisions to permit credit freezes are to be applauded, their initial opposition to some of the state legislative efforts prevented this prevention tool from being available to consumers earlier. Many state legislators were subjected to lobbying against these bills by the credit bureaus as well as their customers -- banks, insurance companies, department stores, and big box retailers. Credit bureaus have long counted on the revenue from selling consumers' credit files to third party creditors, and the users didn't want the flow of this valuable source of potential customers to be stemmed. Clearly, the tide has turned in favor of credit freeze laws, with Congress stepping up with credit freeze provisions in the several pending data breach notification bills, which would preempt the state laws.

Tuesday, October 9, 2007

In Mayfield v. U.S., a federal district judge ruled that the two provisions of the USA PATRIOT Act violate the Fourth Amendment of the United States Constitution because they allow surveillance without probable cause. This decision shows that six year after the Patriot Act passed, privacy concerns still exist regarding its use and scope. Indeed, privacy concerns were raised within a week of the act passing in 2001. In Mayfield, these privacy concerns were somewhat relieved.

Brandon Mayfield is a 38-year old American citizen. He is a former Army office with an honorable discharge and a practicing lawyer. Prior to his arrest based on the Patriot Act, he had never been arrested. Mayfield is Muslim.

In 2004, the FBI began surveillance on Mayfield and his family. The FBI followed them to work, school, the Mosque they attend, and other places. The FBI also placed electronic surveillance devices in their home.

The FBI contends that it took this action because it believer, based on a partial match fingerprint, that Mayfield may have been involved in the terrorists bombings in Madrid, Spain on March 11, 2004. But, the Spanish National Police did not share this conclusion. Regardless, the FBI arrested Mayfield and imprisoned him for two weeks. Mayfield was released when the Spanish National Police informed the FBI that the fingerprint actually belonged to an Algerian, Ouhane Daoud.

While the facts of Mayfield's arrest are interesting, they are not directly relevant to the court opinion because he brought a facial challenge to the two provisions, not an as-applied challenge. In other words, the focus of his claim is that the two provisions at issue always violate the Fourth Amendment, not just in his particular case.

Specifically, Mayfield challenged the way in which the Patriot Act amended FISA. Before the Patriot Act, the government could only get a search warrant from a FISA court if the "primary purpose" was related to gathering national security intelligence. The Patriot Act lowered the standard to allow FISA warrants when merely a "significant purpose" of the warrant was related to national security intelligence. Thus, the Patriot Act allowed the government to obtain FISA court warrants when the primary purpose was to gather evidence related to domestic criminal activity. This lower standard violates the Fourth Amendment's probable cause requirement.

As the Mayfield court stated:

Since the adoption of the Bill of Rights in 1791, the government has been prohibited from gathering evidence for use in a prosecution against an American citizen in a courtroom unless the government could prove the existence of probable cause that a crime has been committed. The hard won legislative compromise previously embodied in FISA reduced the probable cause requirement only for national security intelligence gathering. The Patriot Act effectively eliminates that compromise by allowing the Executive Branch to bypass the Fourth Amendment in gathering evidence for a criminal prosecution.

As a remedy to Mayfield, the court not only found this change in the law unconstitutional, it ruled that the "Executive Branch must destroy or otherwise eliminate" the materials in its files that were the fruits of the unconstitutional search.

In short, the privacy implications of this case relate to the government's ability to conduct surveillance and create and retain databases of information on American citizens using FISA without having to prove probable cause, even when the primary purpose of the surveillance is not related to national security. While this decision is a victory for privacy interests, it is not the last word. Most likely, the government will appeal. Nonetheless, six year after passing the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorists Act (aka USA Patriot Act), privacy concerns seem to be getting some traction in the courts.

Monday, October 8, 2007

As described in this article from Computer World, last week representatives from AT&T, Verizon and Quest appeared before the House Committee on Energy and Commerce to explain how government agencies sought to obtain information on consumer telephone and Internet use. At first blush, this seems odd. After all, the House Committee on Energy and Commerce is part of the House of Representatives - and it would seem that the most direct way for the House of Representatives to find out how some other government personnel were obtaining information would be to simply ask them. However, all is not as it seems with the committee hearings. First, instead of being hearings to rake the telecoms over the coals for violating the privacy of their customers, these hearings are essentially a pity party organized by AT&T (article on some of the behind the scenes maneuvering here) in support of passage retroactively immunizing telecoms for violating the privacy of their customers. So why would AT&T want retroactive liability for violating its customers' privacy? My guess is that AT&T's lawyers have told it that it's likely to lose its case against the electronic freedom foundation which is currently on appeal before the 9th Circuit (details on the ongoing case can be found here). So, where the lawyers fail, the lobbyists swing into action...and we learn that actually obeying the law is completely unnecessary if you have enough money to buy retroactive immunity.

As a note, I am aware that the ACLU, which is normally on the side of the angels when it comes to privacy, has spoken favorably on the house hearings (see, e.g., here). However, I'm still very skeptical. In support of my skepticism, I will cite the position of representative Dingell, who stated that the committee wanted to "examine the difficult position of the phone companies who may have been asked by the government to violate the privacy of their customers without the assurance of liability protections." To me, that sounds like a person who is preparing to step into defend the poor, oppressed telecoms, not a person who is about to exercise some oversight. It's possible that I could be wrong, but I'll wait till AT&T loses at the 9th circuit and no retroactive immunity is granted before I'll conclude that this hearing was about consumer privacy rather than protecting large corporations.

Thursday, October 4, 2007

Recently, I was invited to do some guest posting at Metlin - an eclectic blog run by Karthik Narayanaswami, a multi-talented (quantum physics, programming, mathematics and mountaineering, to name just a few) friend of mine from Cincinnati. My first post can be found here and, as advertised, it has nothing to do with information security or data privacy.

Tuesday, October 2, 2007

Two new government initiatives to restrict the use of Social Security numbers have put banks on the defensive. As part of President Bush's Identity Theft Task Force, the FTC has sought comment on the necessity for such a widespread use of Social Security numbers and alternatives. In addition, the House Ways and Means Committee has approved a bill that would strictly limit the "sale, purchase, or display" of Social Security numbers. This bill is expected to be voted on this fall, but a companion bill has not yet been introduced in the House. Analysts say that the banking industry has voiced opposition to any efforts to limit the use of Social Security numbers, since these numbers are an integral part of their customer information files. Bank Technology News However, they are in danger of finding themselves in the midst of a public relations snafu, since it would not reflect well on banks to oppose efforts to protect customers' identity. Further, banks would arguably benefit from limiting the use of Social Security numbers in connection with account relationships, since one category of bank fraud losses, new account fraud, is directly tied to the use of stolen Social Security numbers. But those losses pale in comparison to the costs banks would incur in being required to shift to a different customer idenification number system.

Monday, October 1, 2007

According to a study conducted by Canadian privacy authorities, TJX failed to utilize sufficient security precautions which would have prevented the security breach experienced by the retail giant earlier this year. Jennifer Stoddart, the Privacy Commissioner of Canada, commented on the report, identifying TJX's information gathering and retention policies, as well as weak encryption technology, as the reason that the criminal groups were able to carry out the largest data security theft to date. Stoddart cited the TJX incident as a wake up call to other businesses that collect personal information. See this article. The Disposal Rule imposed by U.S. regulations is intended to prevent companies from retaining customers' personal information longer than necessary, but unfortunately it only applies to consumer credit reports. Retailers run the same risk of a security breach as TJX does if they do not heed the "wakeup call." Collecting unnecessary information in connection with a transaction and retaining it indefinitely presents an example of sloppy information management, and can provide criminal groups with a treasure trove of data ripe for resale and abuse.

Contributors

Other Sites

Privacy Statement

The authors value the privacy of their blog viewers. This site does not currently collect personal identifying information ("PID"), except: (1) to the extent that your browser provides PID, like your e-mail address or the site you linked from, to this site's server; (2) to the extent that you provide PID to this site in an e-mail; and (3) to the extent that you provide PID to this site in a CGI form (for example, when you complete a search request on this site’s “Search this Site” search feature. Your PID will be used only for the specific purpose for which you submitted the PID, except that it may be used in an aggregated form to gauge the popularity of this site. "Cookies" are pieces of information that some web sites transfer to the computer that is browsing that web site, and are used for record-keeping purposes at many web sites. Use of Cookies performs certain functions such as saving your passwords, lists of potential purchases, and your personal preferences regarding your use of the particular web site. This site uses Cookies to gather anonymous traffic data. Your browser is probably set to accept Cookies. However, if you would prefer not to receive Cookies, you can alter the configuration of your browser to refuse Cookies. This site contains links to other sites. The authors and their employers do not share your personal information with those sites and are not responsible for their privacy policies. We encourage you to learn about the privacy policies of those entities. Children under 13 years old are not the target audience of this site. To protect their privacy, the authors prohibit the solicitation of personal information from these children. The authors reserve the right to change this Privacy Policy at any time by posting a new privacy policy at this location. You can e-mail any further questions to wmorriss@fbtlaw.com.

Disclaimer

This site is provided for informational purposes only. The views expressed herein are solely those of the authors and should not be attributed to their employer or their clients. These materials do not constitute legal advice and do not create an attorney-client relationship between you and us. Please note that you are not considered a client until you have signed a retainer agreement and your case has been accepted by us. This site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Got it? THIS SITE IS "AS IS." WE MAKE NO REPRESENTATIONS AS TO THE ACCURACY, TIMELINESS OR COMPLETENESS OF THE STUFF HERE AND YOU SHOULD NOT RELY UPON IT. USE AT YOUR OWN RISK. WE EXPRESSLY DISCLAIM ALL WARRANTIES. This may be an advertisement. Your mileage may vary. Past performance does not guarantee future returns. Do not run with scissors.
NOTE: This disclaimer is largely taken from the established and extremely well written blog Patent Baristas.